The breach was first reported by the cybersecurity portal KrebsOnSecurity. “Wipro is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers,” the report said, citing unidentified sources.
The sources pointed out that Wipro systems were being used to run a phishing campaign targeting a dozen Wipro customers, who traced malicious and suspicious network reconnaissance activity (a process for testing potential vulnerabilities in a computer network) back to systems that were communicating with Wipro’s network. According to one of the sources, Wipro is building a new private email network, as it believed that the attackers had breached its email system.
The report further said the breach is believed to be the work of state-sponsored attackers and that Wipro has been dealing with the hacking for over a month.
KrebsOnSecurity reached out to Wipro on 9 April for comment. Wipro didn’t comment on any of those questions directly but issued a statement: “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”
One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.
Wipro has more than 170,000 employees helping clients across six continents with Fortune 500 customers in healthcare, banking, communications and other industries.
What does Wipro say?
Wipro says it is investigating following an advanced phishing campaign targeting its employees. The firm sent me the following statement by email: “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.
“We are leveraging our industry-leading cyber security practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”
Who are Wipro’s customers?
Many of Wipro’s customers are in industries that would be a major target for hackers – especially state-sponsored ones. They include oil and gas, automotive, aerospace and defense, banking and healthcare organizations, among other industries.
Among the named current and former customer case studies on Wipro’s website are RHT Health Trust and LA Care Healthplan. But Wipro has had a few issues over the last year. In September 2018, one healthcare client, the Nebraska Department of Health and Human Services, suddenly ordered Wipro to halt its work on the upgrade to the state’s Medicaid enrolment system. Wipro is now suing the organization.
And just a month earlier the firm had paid $75 million to settle a lawsuit after it botched an SAP implementation on the US National Grid.
What does it mean?
Wipro’s share price had fallen on April 16.
Wipro announced its fourth quarter earnings on April 16, but it is unlikely that this incident will have had any immediate impact on the firm, says Tom Tahany, intelligence analyst at Blackstone Consultancy. However, fast forward six or 12 months – and that could be very different.
“The possible reputational damage which Wipro will have to combat is likely to be the toughest to manage and overcome. It is too early to say whether they will succeed in overcoming this, but it is certain that their PR machine is currently working overtime to try and soften the hit both immediately in terms of current share prices, and in the longer term.”
This is not the first attack of this nature, says Tahany. He points out that in January of this year, the US National Counterintelligence and Security Center launched a campaign to warn businesses about the risks related to cyber-attacks from foreign intelligence entities. “They identified corporate supply chains as one of the primary targets, wherein actors attack a business’ suppliers to gain access to the end client’s corporate network. It seems highly likely that Wipro was used as the soft underbelly to breach third parties.”
Meanwhile, Krebs mentions a “curious, if only coincidental, development” that took place on April 4, 2019. The Indian government sold “enemy” shares in Wipro worth around $166 million. Enemy shares are apparently so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer. According to the Business Standard, the buyers were state-owned Life Insurance Corporation of New India Assurance and General Insurance Corporation.
Whoever was responsible for the breach, third party companies will always be a target for attackers looking for weak points. It’s important for outsourcing firms to look carefully at their own security – and for clients to be careful about who they trust.